[Openvpn-users] arbitrary routes not working


  • Subject: [Openvpn-users] arbitrary routes not working
  • From: Florin Andrei <florin@xxxxxxxxxxxxxxx>
  • Date: Wed, 28 Jan 2004 11:11:45 -0800

Now I know why there are so many raving user testimonials: those are
probably people like me who, after banging their heads against the IPSec
wall, suddenly stumble upon OpenVPN and poof! everything works. :-)

Well, almost everything. I can't seem to find a way to add static routes
through the tunnel.

My OpenVPN server is on Linux, I'm using the bridging model, and I'm testing
with a Win2K road-warrior. The OpenVPN version is 1.6beta1.

The Linux thing is a classic 3-interface firewall: eth2 facing the
Internet, eth1 facing the internal network on a private 192.168.1.0/24
address space (will be NATed once I finish up the VPN configuration; right
now I'm only playing with dummy systems), eth0 facing a /26 DMZ on public
addresses which is not NATed but is publicly accessible (only slightly
filtered with iptables).

My goals are:
- to assign the road-warrior an address in the internal, private address
space and let it see the internal network
- to make the tunnel work through whatever firewall may happen to be on
the road-warrior side (NATing or not)
- to enable the road warrior to access the DMZ (which is on public,
non-NATed addresses) through the VPN tunnel

I can easily achieve the first 2 goals, thanks to this excellent piece
of software which is OpenVPN.
I cannot achieve the 3rd goal.

I'll describe my entire configuration first. At the end of this message
I'll describe the symptoms.

Here's the config file on the client (public addresses are obfuscated):

########### road-warrior ############
remote X.Y.Z.189
port 5000
dev tap
fragment 1400
mssfix
ifconfig 192.168.1.252 255.255.255.0
ifconfig-nowarn
#route X.Y.Z.192 255.255.255.192 vpn_gateway
secret test-key.txt
ping 10
verb 3
#####################################

Here's the config on the server (some obfuscation may occur :-D):

############### server ##############
local X.Y.Z.189
port 5000
dev tap0
fragment 1400
mssfix
secret test-key.txt
persist-key
persist-tun
ping-timer-rem
ping-restart 60
ping 10
user xxxxxx
group xxxxxx
verb 3
#####################################

Here's the script I used on the server to fire up the bridging stuff
(lots of "sleep 1"; otherwise eth1 got mangled):

########## warp engines on ##########
# number of tap devices to pre-create (tap0 .. tap15)
maxtap=15
# pull IPADDR/NETMASK/BROADCAST for eth1 from the Red Hat ifcfg file
. /etc/sysconfig/network-scripts/ifcfg-eth1
modprobe tun
modprobe bridge
# take eth1 down; its address moves to the bridge below
ifconfig eth1 down
# create persistent tap devices for OpenVPN to attach to
for i in `seq 0 ${maxtap}`; do
    openvpn --mktun --dev tap${i}
done
sleep 1
# bridge the internal NIC together with all tap devices
brctl addbr br0
brctl addif br0 eth1
sleep 1
for i in `seq 0 ${maxtap}`; do
    brctl addif br0 tap${i}
done
sleep 1
# bridge members carry no address of their own, only promiscuous mode
for i in `seq 0 ${maxtap}`; do
    ifconfig tap${i} 0.0.0.0 promisc up
done
sleep 1
ifconfig eth1 0.0.0.0 promisc up
sleep 1
# the bridge takes over eth1's original address
ifconfig br0 ${IPADDR} netmask ${NETMASK} broadcast ${BROADCAST}
#####################################

Here's the routing table on the server (some addresses mangled, some
less important columns deleted altogether):

########### server routes ###########
Destination Gateway   Genmask         Iface
X.Y.Z.192   0.0.0.0   255.255.255.192 eth0
X.Y.Z.128   0.0.0.0   255.255.255.192 eth2
192.168.1.0 0.0.0.0   255.255.255.0   br0
127.0.0.0   0.0.0.0   255.0.0.0       lo
0.0.0.0     X.Y.Z.129 0.0.0.0         eth2
#####################################

eth0 is the DMZ. That's the network I want to route through the tunnel.
But if I go to the road-warrior OVPN config and uncomment the route
statement, then restart the OVPN service, nothing works. Even the
internal network tunneling doesn't work anymore. Comment the route
statement out, and then I can see the internal net through the tunnel
and everything is fine (and it works pretty damn well) except that I
access the DMZ through the "outside", not through the tunnel.

So it's not that the route just doesn't work, but the route statement
seems to break everything altogether.

I mangled the route statement, adding 0 at the end and stuff like that.
It didn't help.

I am probably doing something wrong, but I can't figure out what. Any
ideas?
Thanks,

-- 
Florin Andrei

http://florin.myip.org/
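A config check in the spirit of the question above, added here as an editor's example and not code from the post or from OpenVPN itself: it parses a client config in the posted format and flags a `route ... vpn_gateway` line that, with `dev tap`, has no gateway to resolve to unless `route-gateway` is also set. That rule is taken from the OpenVPN 2.x manual and is assumed to apply to the 1.6 build discussed; the obfuscated X.Y.Z prefix is replaced by the 203.0.113.0/24 documentation range.

```python
import ipaddress

# Constructed sample: the road-warrior config from the post with the route line
# uncommented and the obfuscated X.Y.Z prefix replaced by 203.0.113 (TEST-NET-3).
CLIENT_CONF = """\
remote 203.0.113.189
port 5000
dev tap
fragment 1400
mssfix
ifconfig 192.168.1.252 255.255.255.0
ifconfig-nowarn
route 203.0.113.192 255.255.255.192 vpn_gateway
secret test-key.txt
ping 10
verb 3
"""

def parse_config(text):
    """Return (directive, args) pairs; blank lines and '#' comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            directive, *args = line.split()
            entries.append((directive, args))
    return entries

def lint_routes(text):
    """Return a finding for every 'route' directive that cannot work as written."""
    opts = {}
    for directive, args in parse_config(text):
        opts.setdefault(directive, []).append(args)
    is_tap = opts.get("dev", [["tun"]])[0][0].startswith("tap")
    tunnel_net = None
    if is_tap and "ifconfig" in opts:  # in tap mode the 2nd ifconfig arg is a netmask
        addr, mask = opts["ifconfig"][0][:2]
        tunnel_net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    findings = []
    for args in opts.get("route", []):
        mask = args[1] if len(args) > 1 else "255.255.255.255"
        gateway = args[2] if len(args) > 2 else "vpn_gateway"  # OpenVPN's default
        net = ipaddress.ip_network(f"{args[0]}/{mask}", strict=False)
        if gateway == "vpn_gateway" and is_tap and "route-gateway" not in opts:
            findings.append(f"route {net}: vpn_gateway is undefined in tap mode "
                            "unless route-gateway is set (OpenVPN 2.x rule, assumed)")
        if tunnel_net is not None and net.overlaps(tunnel_net):
            findings.append(f"route {net}: overlaps the tunnel subnet {tunnel_net}")
    return findings
```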
